Privacy

Introduction

This Privacy Policy describes the personal information that may be collected by the Australia Post Group (‘APG’, ‘we’ or ‘us’), the choices you can make about your personal information and how we protect your information. The APG incorporates all related bodies corporate and controlled entities, including StarTrack, SecurePay, POLi Payments, Decipha, Mail Call and MailPlus.

If you would like a printed version of this policy, you can print this page using your browser, or contact us for a copy. Our contact details are listed at the end of this Policy. Alternatively, a summarised version of this Privacy Policy is available in our retail outlets. Simply ask one of our staff for the brochure called “Australia Post, Privacy and You”.

To meet your expectations about privacy and confidentiality Australia Post has operational processes and procedures to comply with:

If you have any questions not addressed in this policy, please feel free to contact us using the methods at the end of this policy under the heading “How to contact Us”.

Your acknowledgement of our privacy policy

By using this website, you acknowledge that you’ve read and understood this privacy policy. Please note that this policy does not extend your rights or APG’s obligations beyond those defined in the legislation listed above.

Should there be any inconsistency between this policy, the Privacy Act and other Acts mentioned above, this policy shall be interpreted to give effect to and comply with the legislation.

This policy includes examples but is not intended to be restricted in its application to such examples. Where the word ‘including’ is used, it shall mean ‘including without limitation’.

Our websites contain links to non-APG websites. We are not responsible for the privacy policies of those other websites. We recommend you review the privacy policies of each site you visit.

Collection of personal information

‘Personal information’ means information we hold about you where your identity is either clear or can be reasonably determined. When you give us your personal information, it imposes a serious responsibility on us. Protecting your privacy when handling your personal information is very important to us and is fundamental to the way we serve you.

Generally, we will collect personal information directly from you, and only to the extent necessary to provide the product or service (including our agency functions) you requested or to carry out our internal administrative operations or meet relevant regulatory requirements. An ‘agency function’ means a service that we provide to you on behalf of another organisation, such as our POSTbillpay and Bank@Post services. We may also collect personal information for the purpose of enhancing our ability to improve service delivery to you and other customers in the future.

We may collect personal information from you when:

• you fill in an application form;

• deal with us over the telephone or over web chat;

• purchase a product or service in one of our retail outlets;

• register for, or use, our online products and services;

• e-mail us;

• create an account with us;

• participate in an online promotion;

• provide us with feedback;

• complete online surveys;

• contact, register with, post to, like or follow any of our social media websites, pages, forums or blogs; and

• ask us to contact you after visiting our web site.

We will collect personal information from you by lawful and fair means.

If you choose to not provide your personal information when requested, we may not be able to deliver the product or service that you have requested. We will endeavour to make this as clear as possible for each service.

In some cases, where it makes sense and is lawful, you can interact with us anonymously or by using a pseudonym (an alias). We will endeavour to make this option clear when it is available to you.

Information collected

As noted above, we will only collect personal information from you that’s necessary to provide the product or service or to carry out internal administrative functions, or any other personal information you submit to us. We collect different personal information depending on the product or service that you have requested. Some examples include:

• Parcels – When you ship a parcel with us we will capture the details of the parcel including shipping activities (for tracking purposes), the weight and dimensions of the parcel, and the sender and receiver details. This information allows us to route the package and to respond to queries from both the sender and the receiver.

• Mail Call – We collect your personal information when you communicate with us to inquire, book or pay for our courier services.

We may also collect personal information from third parties such as retailers, other individuals or any other third party in order to provide our courier services to you. In such instances we assume the person providing the information is authorised to provide us with your personal information. There may be occasions when we collect information about you from a third party where it is reasonably necessary or normal business practice to do so, for example from payment gateways relating to payments made through third party providers.

• Identity and Document Services – Given our broad presence across Australian communities, we provide a range of identity and document services that allow our customers to apply for ID cards (e.g., KeyPass), apply for government papers, apply for passports, and witness documents, as well as a broad range of other services. These services, performed on behalf of other organisations and agencies, often require the collection of identity details such as name, address, and proof of identity details (e.g., driver's licence, passport number). We typically pass this information to the service provider and retain a copy in case there are problems with the processing of the transaction and to meet our legal obligations. After the retention period is over, your personal information is deleted.

• PostBillPay – When you pay your bills at Australia Post, we only capture enough information to ensure the right bill is paid. Generally, this includes a reference number for the bill and does not include your personal information.

If you attempt a PostBillPay One Off payment via the MyPost Digital Mailbox, we may also collect and temporarily store your financial information including bank account balances, bank account payment limits, a record of your previous banking transactions and information about your internet banking sessions. Information may also be collected about how you interact with PostBillPay. We collect information in a number of ways, including:

o where you provide information directly to us using PostBillPay using a computer or other device; and

o where we receive personal information from a biller with whom you deal and where you elect to use PostBillPay in respect of that biller.

• Newsletters – We offer a number of newsletters such as Our Neighbourhood, our Brand Hub, or Promotions and Offers. We collect your name and your email address which we keep until you choose to unsubscribe from this service.

• The Online Shop – When you register for an account with the Australia Post Online Shop, we collect basic contact details (name, address, phone, email) to simplify the checkout process for you and to allow you to sign-up to receiving related promotional offers.

• Mail Redirection Service – When you ask us to redirect your mail, we collect your personal information including name, old and new addresses, email address and phone number. Phone is captured to allow us to contact you in the event of issues with processing your request. Email address is captured to allow us to send you a notification when the service is ending and to allow you to sign-up for promotional offers if you request them. We also use this information to notify third parties of your address change if you sign up for this service. The remaining details are captured to allow us to redirect your mail.

o SecurePay Gateway captures basic payment information and passes it through to the relevant financial institution.

o SecurePay Online Payments serves as the merchant acquirer on behalf of merchant customers. In order to perform this service we are required to conduct Know Your Customer checks on merchants in order to appropriately assess credit risk.

• POLi Payments – We may also collect your financial information including bank account balances, bank account payment limits, a record of your previous banking transactions and information about your internet banking sessions. POLi may collect information in a number of ways, including:

o Where you provide information directly to us using the POLi Payments System using a computer or other device; and

o Where we receive personal information from merchants with whom you deal and where you elect to use the POLi Payments System in respect of that merchant.

• Decipha – We manage both physical and virtual mailrooms and fulfil inbound information management solutions, including various document processing services. We scan physical mail and use a wide range of technologies to accurately capture information, images and relevant data from both structured and unstructured forms. Decipha also securely tracks and expedites the handling of financial data and payments, and can scan and archive data for our merchant customers.

• MailPlus – Your personal information may be collected through the course of fulfilling our Pick-Up & Delivery Services, including but not limited to handling incoming and outgoing mail, parcel delivery and collection.

Unsolicited information

“Unsolicited” personal information is personal information about an individual that an organisation has unintentionally received. This is an uncommon occurrence for the APG, but when it does happen, we will protect your personal information with the same rigour as we treat personal information that we intended to collect. If we could not have collected this information through our normal processes, we will de-identify that information as soon as we can.

Uses and sharing

We use the personal information you provide only for purposes consistent with the reason you provided it, or for a directly related purpose. We may also use your personal information where required or permitted by law. We may also use your information where you have provided us with your express or implied consent.

We may also use your personal information, or aggregate your personal information with the personal information of other customers (so that the aggregated information is no longer personal) for the purposes of:

• analysis to help us better understand the needs of our customers so that we and third parties can better develop products and services for you;

• providing information that is tailored to what we believe are your areas of interest; and

• analysing your product and services to improve your experience and to enable us to develop new or enhanced functionality for you.

We do not share your personal information with other organisations unless:

• you give us consent, or

• where sharing is otherwise required or permitted by law, or

• where this is necessary on a temporary basis to enable our contractors to perform specific functions.

We may contact you periodically to advise you of new or enhanced functionality which is available in connection with our products and services. You will not be obliged to adopt any such functionality.

When we temporarily provide personal information to companies who perform services for us, such as specialist information technology companies, mail houses or other contractors to Australia Post, we require those companies to protect your personal information as diligently as we do. Strict contractual and other quality assurance measures are used to ensure your personal information is protected.

We have a strict duty to maintain the privacy of all personal information we hold about you. However, certain exceptions do apply. For example, where disclosure of your personal information is:

• Authorised or required by law (e.g. disclosure to various government departments and agencies such as the Australian Taxation Office, Centrelink, Child Support Agency, or disclosure to courts under subpoena).

• In the public interest (e.g. where a crime, fraud or misdemeanour is committed or suspected and disclosure against the customer’s rights to confidentiality is justified).

• With your consent – your consent may be implied or express and it may also be verbal or written.

Treatment of personal information with subsidiaries

APG can disclose personal information (excluding sensitive information) to subsidiaries and controlled entities as long as the purpose for sharing is related to the reason the personal information was originally collected. This excludes subsidiaries that are outside of Australia. Under these same terms, subsidiaries can share personal information with Australia Post.

Overseas use and disclosure

APG may transfer personal information to countries outside Australia (for example when you send correspondence overseas). We will only do so in compliance with all applicable Australian data protection and privacy laws. APG will take reasonable steps to protect personal information no matter what country it is stored in or transferred to. We have procedures and data transfer contracts as appropriate to help ensure this.

APG uses service providers in other countries as follows:

• Japan, Singapore, United Kingdom, United States of America, France, New Zealand, India and the Philippines.

Direct marketing

From time to time we may use the personal information we collect from you to identify particular APG products and services which we believe may be of interest to you. We may then contact you to let you know about these products and services and how they may benefit you. We will generally only do this with your prior consent (where practical) and we will always give you a choice to opt out of receiving such information in future.

Direct Marketing from APG generally takes the form of Direct Mail or Electronic Marketing (email). In rare cases, we may use Telemarketing. Each of these channels is handled as follows:

• Direct mail – Where we use your personal information to send you marketing information via the post we may do so with your implied consent or, if this is impracticable, we will ensure that you are provided with an opportunity to opt out of receiving future such communications. If you do not tick a clearly displayed “opt out” box, we will assume we have your implied consent to receive similar marketing communications in the future. We will always ensure that our opt out notices are clear, conspicuous and easy to take up.

• Electronic marketing – Where we use your personal information to send you marketing information by e-mail, SMS, MMS or other electronic means we may do so with your express or implied consent. You may give us your express consent by, for example, ticking a box on an electronic or paper form where we seek your permission to send you electronic or other marketing information. Consent may be implied from our existing business relationship or where you have a reasonable expectation of receiving an electronic marketing communication.

• Telemarketing – Australia Post does not usually engage in telemarketing activities to our consumer customers. Generally, such marketing is only used in relation to our business customers. Should any consumer telemarketing be undertaken or authorised by Australia Post, we will, to the extent that it applies, comply with the relevant legislation (see above).

Every directly addressed marketing contact sent or made by Australia Post will include a means by which customers may unsubscribe (or opt out) of receiving further marketing information.

Additionally, you may instruct us at any time to remove any previous consent you provided to receive marketing communications from us. Requests should be directed to the APG Privacy Contact Officer via the channels provided under ‘How to contact us’.

Accessing your personal information

You have the right to request access to the personal information we hold about you. This right is subject to certain exceptions allowed by law.

Australia Post will, upon your request, and subject to applicable privacy laws, provide you with access to your personal information that is held by us. However, we ask that you identify, as clearly as possible, the type (or types) of information requested. APG will deal with your request in a reasonable time – usually within 30 days.

Exceptions

Your right to access your personal information is not absolute. In some circumstances, the law permits us to refuse your request to provide you with access to your personal information.

Freedom of information laws

In addition to privacy laws, you may have rights to access your personal information contained in certain APG documents. Details on how to apply for access to these documents are contained in the Freedom of Information Act 1982 (FOI Act).

More information is available at the Office of the Australian Information Commissioner’s freedom of information pages.

Updating your information

It is inevitable that some personal information which we hold will become out of date. We will take reasonable steps to ensure that the personal information which we hold remains accurate and, if you advise us of a change of details, we will amend our records accordingly.

Where your information has been disclosed to a third party, Australia Post will take reasonable steps to notify the third party of the correction.

Where we are unable to update your information, we will provide an explanation in writing as to why the information cannot be corrected.

We limit access to personal information to individuals with a business need consistent with the reason the information was provided. We keep personal information only for as long as it is required for business purposes or by the law.

We understand that you may be concerned about the security of the personal information we collect from you online.

Accordingly, we have systems in place to ensure our online dealings with you are as secure as your dealings with us in person, or on the telephone.

In those instances where we secure your personal information in transit to us and upon receipt, we use the industry standard encryption software, Secure Sockets Layer (SSL) 128 bit encryption. The URL in your browser will change to “HTTPS” instead of “HTTP” when this security feature is invoked. Your browser may also display a lock symbol on its bottom task bar line to indicate this secure transmission is in place.

We employ security programs and services to monitor network traffic in order to identify attempts to breach our security.

Information collected on our websites

We may collect non-personal information from you such as browser type, operating system, and web pages visited to help us manage our web site.

We use cookies (see below) and other internet technologies to manage our website and certain online products and services. We do not use these technologies to collect or store personal information unless you have opted into such a feature. Where you’ve logged into our website we may reflect the products and services you use with your on-line behaviour to provide content that is of more interest to you.

Our internet server logs the following information which is provided by your browser for statistical and content optimisation and personalisation purposes:

• the address of any referring website (for example – the previous web site you visited), and

• your computer’s IP (Internet Protocol) address (a number which is unique to the machine through which you are connected to the internet).

All of this information is used by Australia Post for aggregated statistical analyses or systems administration purposes only. No attempt will be made to identify users or their browsing activities, except where required by law.

Cookies

A “cookie” is a packet of information stored on your computer that allows the Australia Post server to identify and interact more effectively with your computer.

Our websites use two different kinds of cookies:

• Session cookies – temporary cookies that only last until you close your browser

• Persistent cookies – cookies that are stored for a longer term on your computer.

Session cookies

When you access our web site, we send you a temporary cookie that gives you a unique identification number. A different identification number is sent each time you use our website. Cookies do not identify individual users, although they do identify a user’s internet browser type. When you close your browser, the cookie is deleted and no longer exists on your computer.

You are free to disable cookies in your browser (see details below). If you have disabled cookies you may not be able to take full advantage of all of our website features.

We use session cookies in the following manner:

• Log-on and log-off administration – Session cookies help with the log-on and log-off processes for those users who have decided to register to use one of our online services. The cookies enable us to recognize your user ID when you log on so that we do not establish a duplicate registration record for you.

• Transactions and site usability – We use session cookies to improve how you navigate through our website and conduct transactions. As examples, session cookies are used to maintain your online session as you browse over several pages; to store and pre-populate information so that you do not have to re-enter the same information twice. Session cookies may also be used to collect referral statistics when you click on a link or ad banner to or from auspost.com.au, and associated websites.

Persistent cookies

APG may also use “persistent cookies”. A persistent cookie is a small piece of text stored on your computer’s hard drive for a defined period of time, after which the cookie is erased. Australia Post will not collect or link to personal information through persistent cookies without your express consent.

We use persistent cookies as follows:

• Site usage measurement – Our site measurement tool uses a persistent cookie to assist us in measuring how and when our web site and its various components are used. It functions as a “visit cookie,” so we can determine if you are a repeat visitor to our site. This allows us to know if we are attracting new visitors and what aspects of the site seem most useful. The cookie will expire 30 days after your last visit.

• Log-off safety function – Australia Post uses a persistent cookie to automatically log you off certain Australia Post sites if there has been no activity for 15 minutes. This is done for your safety to ensure that, if you have finished using our site but have forgotten to log off, no one else can use your computer via your log on and password. The cookie is permanently removed from your computer when you log off, or, if you have closed the browser without logging off, it is removed within 15 minutes from your last activity.

• Longer-term cookies – Persistent cookies allow us, at your request, to recognise you when you return to auspost.com.au or to remember certain information that you have provided us. The recognition feature allows you to log on to certain Australia Post sites automatically, without having to enter your name and password each visit. The cookie assigns a random number to you, and allows us to track your site activity, but this is not linked to personal information. This allows us to personalise the site for you and tailor the content to your needs, for instance to show you banner ads about products you may be interested in.

• Click stream data – “Click stream data” is information which is derived from an analysis of your website activity based on the sequence of links which you click on while browsing our Website. When you visit the Website or use our products and services, we will collect this information for analysis, maintenance or reporting purposes and to improve the performance of our Website. This can include information such as your IP address, the duration of your visit and the date and time of your visit.

Other cookies allow us to remember certain information related to prior transactions, such as package tracking numbers, or mailing or address lists, so we may pre-populate those fields for you on return visits.

Cookie Management

You can configure your internet browser to accept all cookies, reject all cookies or notify you when a cookie is sent. Most browsers accept cookies by default. To learn more about cookies, including how to refuse cookies on your computer, click these links:

Links to other sites

The Australia Post site contains links to other sites. We are not responsible for the privacy practices or the content of such websites. We encourage you to read and understand the privacy policies on those websites prior to providing any information to them.

Some of the content appearing on the Australia Post website may be supplied by third parties, for example, by framing third party web sites or the incorporation through “framesets” of content supplied by third party application service providers. In such cases, Australia Post will ensure that our contractual arrangements with these third parties protect your personal information in compliance with privacy laws.

Searches

Search terms that you enter when using our search engine are collected, but are not associated with any other information that we collect. We use these search terms for the purpose of aggregated statistical analyses so we can ascertain what people are looking for on our website, and to improve the services that we provide.

We may use external companies to provide us with detailed aggregate statistical analyses of our website traffic. At no time is any personal information made available to these companies, nor is the aggregate information ever merged with personal information such as your name, address, email address or other information you would consider sensitive or would compromise your privacy.

Loss of personal information

Despite our every effort to protect your personal information, there remains the possibility that a breach of our security could occur. In the event of loss of personal information Australia Post will:

• Seek to rapidly identify and secure the breach to prevent any further breaches

• Engage the appropriate authorities where criminal activity is suspected

• Assess the nature and severity of the breach including the type of personal information involved and the risk of harm to affected individuals

• Notify the affected individuals directly if appropriate and where possible

• If appropriate, put a notice on our website advising our customers of the breach

• Notify the Privacy Commissioner (at the OAIC) if the breach is significant.

Children’s privacy

Australia Post believes it is important to provide added protection for children online. We encourage parents and guardians to spend time online with their children to participate in and monitor their online activity.

When we provide a product or service that intentionally collects personal information from children, we will give a notice specifying what information we are requesting, how we will use it, whether it will be shared with a third party, and a contact at Australia Post for questions. We will utilise the information only for the particular purpose for which it was given to us.

We will use reasonable efforts to verify parental consent prior to the collection and use of personal information from children under 16. The method of verification may vary according to the information, product, service or event in which the child wishes to participate. Consent may take a variety of forms including offline consent such as printing and submitting a permission form by mail or fax, or online consent such as by ticking an online check box that parental or guardian consent has been obtained.

We do not require parental or guardian consent in order to collect and use online or offline contact information to:

• respond directly to a child’s request on a one-time basis, or to answer a specific request, where the information is not intended to be used to re-contact the child for other purposes

• request the name or on-line contact information of a parent/guardian for the sole purpose of obtaining verifiable parental consent or providing parental notification

• respond directly more than once to a specific request from a child and the information is not intended to be used to recontact the child beyond the scope of the request

Australia Post will allow parents or guardians to review any personal information collected from their children, subject to verifying the identity of the consenting parent/guardian.

Parents/guardians may, at their discretion, revoke their consent and delete information collected from their children.

How to contact us

Australia Post is committed to working with its customers to obtain a fair resolution of any complaint or concern about privacy.

To contact us with a compliment or complaint or a privacy question, you can:

We will post changes to the Privacy Policy and publish the effective date when this policy is updated.

Last updated: September 2016

2016 update

The Privacy Policy was reviewed and updated in September 2016. This update took into consideration changes to the Australia Post Group corporate structure, including adding details about how and why information is collected by our controlled entities.

2015 update

The Privacy Policy was reviewed and updated in May 2015. This update was to ensure the clarity and correctness of our privacy policy. In particular, we have added more details about the countries to which we disclose personal information. We have also clarified the role of the Australia Post Group and our subsidiaries.

2014 update

The Privacy Policy was reviewed and updated in February 2014. This update was to ensure compliance with revised privacy legislation. Enhancements were added about how information is collected, used and disclosed. The language throughout was updated to improve readability.

2011 update

The Privacy Policy was reviewed and updated in July 2011. This update was to ensure compliance with current legislation. No substantive changes were made to the Privacy Policy at this time.

Further information on privacy

You can obtain further general information about your privacy rights and Commonwealth privacy law from the Office of the Australian Information Commissioner by: